Zone.Identifier ADSs

With the advent of XP SP2, when a file is downloaded from the Internet (e.g. by clicking
on a link in Explorer) to an NTFS volume, an Alternate Data Stream named Zone.Identifier is
created alongside the downloaded file (i.e. downloadedfile.exe:Zone.Identifier). The
content of this stream is used by Windows XP as security data to determine the
publisher/source of the file.

For a file downloaded from the Internet the content is typically:

[ZoneTransfer] 

ZoneId=3 



Checked with .exe and .zip files.



Note that a download from the Internet via FTP (using, say, CuteFTP, or FTP via Explorer) will not
result in an ADS being created.



When the user chooses to execute the file, a warning like the one below is displayed:



[Screenshot: "Open File - Security Warning" dialog]
The publisher could not be verified. Are you sure you want to run this software?
Name: tapecatsetup.exe
Publisher: Unknown Publisher
Type: Application
From: C:\zones
[Run] [Cancel]
[x] Always ask before opening this file
This file does not have a valid digital signature that verifies its publisher. You should only run software from publishers you trust. How can I decide what software to run?



If the user chooses to Run the file but leaves the 'Always ask before opening this file' box
checked, then each time the file is run the dialog above will be displayed.

If the user un-checks the 'Always ask...' box then the ADS will be deleted.



By looking at the properties of the file (right click, choose Properties) the dialog below
is displayed:



[Screenshot: "tapecatsetup.exe Properties" dialog, General tab (tabs: General | Version | Compatibility | Security | Summary)]
tapecatsetup.exe
Type of file: Application
Description: Setup Launcher
Location: I:\zones
Size: 8.70 MB (9,125,287 bytes)
Size on disk: 8.70 MB (9,125,888 bytes)
Created: 21 September 2005, 20:41:38
Modified: 21 September 2005, 20:41:38
Accessed: 21 September 2005, 20:41:38
Attributes: [ ] Read-only [ ] Hidden [Advanced...]
Security: This file came from another computer and might be blocked to help protect this computer. [Unblock]
[OK] [Cancel] [Apply]



Note the security warning. If the user clicks on the Unblock button, the ADS is deleted.



What does this mean forensically? 



My research has been very limited, but it seems that the zones referred to above are
the security zones referenced in Internet Options, as below.



[Screenshot: "Internet Options" dialog, Security tab (tabs: General | Security | Privacy | Content | Connections | Programs | Advanced)]
Select a Web content zone to specify its security settings.
Internet: This zone contains all Web sites you haven't placed in other zones. [Sites...]
Security level for this zone: Custom
Custom settings.
- To change the settings, click Custom Level.
- To use the recommended settings, click Default Level.
[Custom Level...] [Default Level]
[OK] [Cancel] [Apply]



A link on MSDN enumerates the values that different zones can have. In general you
should not see most of these, and I expect that values in the Zone.Identifier are likely to be
limited to URLZONE_INTRANET and URLZONE_INTERNET (see below) and
possibly URLZONE_UNTRUSTED. This of course still gives us useful intelligence as to
where a file was obtained from.



The values in the following enumeration are either explicitly assigned (e.g.
URLZONE_USER_MIN = 1000) or are incrementing numbers, e.g.
URLZONE_INTRANET = 1
URLZONE_TRUSTED = 2
URLZONE_INTERNET = 3
URLZONE_UNTRUSTED = 4



typedef enum tagURLZONE {
    URLZONE_PREDEFINED_MIN = 0,
    URLZONE_LOCAL_MACHINE = 0,   /* 0: this computer */
    URLZONE_INTRANET,            /* 1 */
    URLZONE_TRUSTED,             /* 2 */
    URLZONE_INTERNET,            /* 3: the ZoneId seen in a typical download */
    URLZONE_UNTRUSTED,           /* 4 */
    URLZONE_PREDEFINED_MAX = 999,
    URLZONE_USER_MIN = 1000,     /* user-defined zones */
    URLZONE_USER_MAX = 10000
} URLZONE;
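The following Python is an added example, not code from this note. It decodes the stream content shown earlier ([ZoneTransfer] followed by ZoneId=n) and maps the ZoneId to the URLZONE names of the enumeration above; it also reads the stream straight off an NTFS file by opening path:Zone.Identifier, and walks a directory tree, which is the check an examiner would run over a seized volume. The sample streams and file names are constructed. The ReferrerUrl and HostUrl keys are an assumption beyond this page (later Windows versions write them into the same stream) and are treated as optional.

```python
"""Decode the Zone.Identifier alternate data stream (the "mark of the web").

Added example, not code from the note.  Assumes the stream layout the note
shows ([ZoneTransfer] / ZoneId=<n>) and the tagURLZONE zone numbers quoted
there.  ReferrerUrl/HostUrl are optional extras written by later Windows
versions and are not part of the note.
"""
import os
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple

STREAM_NAME = "Zone.Identifier"

# Predefined zone numbers from the tagURLZONE enum (urlmon.h).
URLZONE_NAMES = {
    0: "URLZONE_LOCAL_MACHINE",
    1: "URLZONE_INTRANET",
    2: "URLZONE_TRUSTED",
    3: "URLZONE_INTERNET",
    4: "URLZONE_UNTRUSTED",
}
URLZONE_USER_MIN, URLZONE_USER_MAX = 1000, 10000


def zone_name(zone_id: int) -> str:
    """Map a ZoneId to its URLZONE name; user-defined and unknown ids are labelled."""
    if zone_id in URLZONE_NAMES:
        return URLZONE_NAMES[zone_id]
    if URLZONE_USER_MIN <= zone_id <= URLZONE_USER_MAX:
        return "URLZONE_USER"
    return "URLZONE_UNKNOWN"


@dataclass(frozen=True)
class ZoneTransfer:
    zone_id: int
    zone_name: str
    referrer_url: Optional[str] = None  # assumption: only on newer Windows
    host_url: Optional[str] = None      # assumption: only on newer Windows


def parse_zone_identifier(text: str) -> ZoneTransfer:
    """Parse the INI-style text of a Zone.Identifier stream.

    Only keys inside the [ZoneTransfer] section count.  A stream without a
    numeric ZoneId raises ValueError instead of being mistaken for 'local'.
    """
    section = ""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip()
    if "zoneid" not in values or not values["zoneid"].lstrip("-").isdigit():
        raise ValueError("stream has no numeric ZoneId in a [ZoneTransfer] section")
    zone_id = int(values["zoneid"])
    return ZoneTransfer(zone_id, zone_name(zone_id),
                        values.get("referrerurl"), values.get("hosturl"))


def read_zone_identifier(path: str) -> Optional[ZoneTransfer]:
    """Return the parsed stream of `path`, or None when the file carries none.

    On NTFS the stream is opened as path:Zone.Identifier, the naming the note
    describes.  None therefore covers a file that was never marked (e.g. an
    FTP download), one the user has already unblocked, and non-NTFS volumes.
    """
    try:
        with open(f"{path}:{STREAM_NAME}", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:                       # no such stream, or not NTFS/Windows
        return None


def scan_tree(root: str) -> Iterator[Tuple[str, Optional[ZoneTransfer]]]:
    """Yield (file path, parsed stream or None) for every file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield full, read_zone_identifier(full)


def triage(streams: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Classify {filename: stream text or None} into a zone label per file."""
    return {name: (parse_zone_identifier(text).zone_name if text is not None
                   else "no Zone.Identifier stream")
            for name, text in streams.items()}


# Constructed sample streams, as an evidence listing might present them.
SAMPLE_STREAMS = {
    "tapecatsetup.exe": "[ZoneTransfer]\r\nZoneId=3\r\n",   # typical HTTP download
    "intranet-tool.exe": "[ZoneTransfer]\r\nZoneId=1\r\n",
    "ftp-download.zip": None,                                  # FTP: no stream created
    "unblocked.exe": None,                                     # stream deleted by Unblock
}

if __name__ == "__main__":
    for name, label in triage(SAMPLE_STREAMS).items():
        print(f"{name:20} {label}")
```

Run on a real NTFS volume, `scan_tree(r"C:\Users\someone\Downloads")` (a placeholder path) reports each file with its zone or None; an absent stream is only evidence that the file is not currently marked, since the note shows two user actions (un-checking 'Always ask' and clicking Unblock) that delete it.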



Experiment has shown that if you place a web site into the trusted zone then an ADS is 
not created when a file is downloaded. 



